48 posts categorized "Fraud"

17 November 2009

The Open Security Foundation's (OSF) DataLossDB project is an interesting resource for information about data and confidentiality breaches. At a glance, it gives you news, latest breaches, a timeline of breach numbers, a "top ten" list, and other references you can use in security awareness materials, or for risk analysis.

16 November 2009

Amusing video from the BBC. A report on pigs managing to figure out how to get more food from an automated control system. If even pigs can (accidentally) figure out how to defeat access controls, what do you have to do to prevent determined attackers? (Actually, pigs are pretty clever critters ...)

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more.

10 August 2009

OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security. And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses...

07 July 2009

Ars Technica has an interesting article titled New algorithm guesses SSNs using date and place of birth. It describes how the date and location of birth can be gleaned from social networking sites such as Facebook, and then used in a new algorithm to guess the person's SSN "with a startling degree of accuracy." An inference attack, in other words. Per reference.com: "An Inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it. The object of Inference attacks is to piece together information at one security level...

25 March 2009

Compliance will not always guarantee that your information security assets are well protected. Security is beyond compliance. An example: In the last week of January 2009, Heartland Payment Systems announced that their network was compromised and hackers accessed their customer information. Hackers had access to Heartland's network for more than a week. Heartland is one of the largest payment processors in the world, which processes more than 11 million transactions a day and more than $80 billion in transactions a year. Heartland was PCI DSS compliant, but they did not notice the hacker activities until they were alerted by Visa and...

16 March 2009

We talk about risk, risk assessment, risk analysis, and risk management. A lot. But people are remarkably bad at really understanding risks. This web page and animation on understanding uncertainty was created to address medical risks. However, it points out a number of ways that we can either misrepresent, or misunderstand, risk in general.

04 March 2009

"Two men who plotted to steal £229m from a bank using software have been found guilty for their roles in the scam. "Lord" Hugh Rodley, of Gloucestershire, who bought his title, was convicted of conspiracy charges dating back to 2004. Gang members had installed spyware on computers at the London offices of Sumitomo Mitsui bank in order to steal money from big business accounts. Soho sex shop owner David Nash, 47, from Durrington, West Sussex, was also convicted at Snaresbrook Crown Court. He had been used by Rodley to front accounts into which the funds would have been channelled, the...

26 February 2009

Fast flux, the rapid rotation of DNS records to point from a single domain name to a number of separate machines, is widely used in malware serving, phishing scams, and other related net nastiness. Unfortunately, the basic concepts are also used for legitimate purposes, such as performance enhancement on large and popular sites, or the prevention of net censorship. The initial report of the Fast Flux Hosting Working Group of the Generic Names Supporting Organization (GNSO) of ICANN (Internet Corporation for Assigned Names and Numbers) contains a good deal of information and thought, and should receive wider dissemination and consideration than it...

20 February 2009

A new company is telling everyone which new companies are worth investing in. Is this something we should get into? http://news.bbc.co.uk/go/em/-/2/hi/technology/7900463.stm "The software measures the "buzz" surrounding a company via blogs and media reports along with a variety of factors including website traffic." We should all blog and Twitter about this. Then we should all blog about how blogging is so last year. (There are just so many things wrong with this ...)

22 January 2009

In the last few days I noticed a huge spike in the number of phishing e-mails in my inbox. Most of them came disguised as e-mails from the Microsoft Live support team regarding a possible account closure or reactivation. I have seen similar kinds of phishing scams in the past, but this time the number of such e-mails was very large. In a single day I got more than 100 such e-mails. None of them went to my junk folder; they came directly to my inbox, even though I have good phishing/spam filters in place. I even received 2-3 follow-up e-mails from a few e-mail...

14 January 2009

See today’s DHS Daily Open Source Infrastructure Report (DOSIR) for information regarding potential disk encryption compromise as well as a countermeasure which has already been installed in one product. Is it the one which you are using? The report is available at http://www.dhs.gov/xlibrary/assets/DHS_Daily_Report_2009-01-14.pdf for the next two weeks. Later, it can be found at http://www.hspig.org/phpbb/viewforum.php?f=20.

When I started in information security we nearly danced with joy when an article in one of the trade journals focused upon infosec or contingency planning. Today there are so many, as well as blogs, that it is virtually impossible to identify all of the sources, never mind read them all. Add to that, so many are not appropriate to your specific perspective, configuration or enterprise. However, there is one source that may help and perhaps help a great deal. You see, the Department of Homeland Security (DHS) publishes a daily report of relevant articles which DHS views as threats...

05 January 2009

Following up on my 2008 list of top cybersecurity threats, I have just published The Top Ten Cybersecurity Threats for 2009 for public comments. If you are interested in cybersecurity threats, kindly email your suggestions or comments directly to me (tim dot silkroad at gmail dot com). I will review all comments, consolidate in a Google Docs spreadsheet, and publish the final version later this month (including acknowledgments). There are a number of interesting changes and additions to the top cybersecurity threat list this year, including exploitation of social networks and the criminal use of cloud computing and software-as-a-service infrastructures...

31 December 2008

A group recently published a paper at the 25th Annual Chaos Communication Congress in Berlin, called "MD5 considered harmful today: Creating a rogue CA certificate." This has resulted in a lot of speculation. Here is the paper itself for your consideration and analysis.

About the (ISC)² Blog

As the certifying body for more than 125,000 cyber, information, software and infrastructure security professionals worldwide, (ISC)² believes in the importance of open dialogue and collaboration. (ISC)² established this blog to provide a voice to certified members, who have significant knowledge and valuable insights that can benefit other security professionals and the public at large.

The (ISC)² blog gives members a forum to exchange ideas and inspires a safe and secure cyber world by supporting the advancement of the information security workforce via a public exchange with a broad range of information security topics.

Whether an (ISC)² member chooses to participate in the (ISC)² blog is his or her own decision. The postings on this site are the author's own and don't necessarily represent (ISC)²'s positions, strategies or opinions. (ISC)² monitors the blog in accordance with the (ISC)² Blog Guidelines, but the bloggers are responsible for their own content – common sense and intelligence should prevail.

Other than links to the (ISC)² website, (ISC)² does not control or endorse any links to products or services provided in this blog and makes no warranty regarding the content on any other linked website.

Those who post comments to (ISC)² blogs should ensure their comments are focused on relevant topics that relate to the specific blog being discussed. (ISC)² reserves the right to remove any post or comment from this site. Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.